
INFORMATION TECHNOLOGY SECURITY HANDBOOK

by George Sadowsky, James X. Dempsey, Alan Greenberg, Barbara J. Mack, Alan Schwartz

© 2003 The International Bank for Reconstruction and Development / The World Bank
1818 H Street, NW, Washington, DC 20433
Telephone 202-473-1000
Internet …
All rights reserved.

The findings, interpretations, and conclusions expressed herein are those of the author(s) and do not necessarily reflect the views of the Board of Executive Directors of the World Bank or the governments they represent. The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of the World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

This handbook is distributed on the understanding that if legal or other expert assistance is required in any particular case, readers should not rely on statements made in this handbook, but should seek the services of a competent professional.


Neither the authors, nor the reviewers, nor The World Bank Group accepts responsibility for the consequences of actions taken by readers who do not seek necessary advice from competent professionals on legal or other matters that require expert advice.

RIGHTS AND PERMISSIONS

The material in this work is copyrighted. Copying and/or transmitting portions or all of this work without permission may be a violation of applicable law. The World Bank encourages dissemination of its work and will normally grant permission.

Portions of this publication have been extracted, with permission of the publisher, from Simson Garfinkel, Gene Spafford, and Alan Schwartz, Practical Unix and Internet Security, 3rd edition, O'Reilly & Associates, Inc., February 2003, and Simson Garfinkel and Gene Spafford, Web Security, Privacy and Commerce, 2nd edition, O'Reilly & Associates, Inc., January …

For permission to photocopy or reprint any part of this work, please send a request with complete information to the Copyright Clearance Center, Inc.,

222 Rosewood Drive, Danvers, MA 01923, USA, telephone 978-750-8400, fax 978-750-4470, …

All other queries on rights and licenses, including subsidiary rights, should be addressed to the Office of the Publisher, World Bank, 1818 H Street NW, Washington, DC 20433, USA, fax 202-522-2422, e-mail …

Grafik, Herndon, VA

ISBN 0-9747888-0-5

GLOBAL INFORMATION AND COMMUNICATION TECHNOLOGIES DEPARTMENT
THE WORLD BANK
1818 H STREET NW, WASHINGTON DC 20433
INFORMATION FOR DEVELOPMENT PROGRAM

ACRONYMS

ICT: Information and Communication Technology
OECD DAC: Organization for Economic Cooperation and Development's Development Assistance Committee
MDGs: Millennium Development Goals
NGO: Non-Governmental Organization
WSIS: World Summit on the Information Society
DotForce: Digital Opportunity Task Force
G8: The G8 industrial democracies have been meeting annually since 1975 to deal with the major economic and political issues facing their domestic societies and the international community as a whole. These states, the G8, comprise France, USA, Germany, Japan, Italy, Great Britain, Canada and, since the Birmingham Summit in 1998, Russia.
UN ICT Task Force: United Nations Information and Communication Technology Task Force
PDA: Personal Digital Assistant
SMEs: Small and Medium Enterprises
HIPC: Highly Indebted Poor Countries
FDI: Foreign Direct Investment
OECD: Organization for Economic Cooperation and Development
DFID: Department for International Development
ITDG: Intermediate Technologies Development Group
VoIP: Voice-over-Internet-Protocol

CONTENTS

Information Technology Security Handbook  1
PREFACE  7
EXECUTIVE SUMMARY  13
PART 1. SECURITY IN THE DIGITAL AGE  29
PART 2. SECURITY FOR INDIVIDUALS  30
CHAPTER … TO SECURITY FOR INDIVIDUALS  31
CHAPTER … AND ADDRESSING SECURITY …  35
CHAPTER … YOUR COMPUTER AND DATA SECURE  43
CHAPTER … YOUR OPERATING SYSTEM AND APPLICATION SOFTWARE SECURE  47
CHAPTER … SOFTWARE  53
CHAPTER 6. SECURING SERVICES OVER NETWORKS  63
CHAPTER 7. TOOLS TO ENHANCE SECURITY  68
CHAPTER … SPECIFIC ISSUES  73
ADDENDUM … TO ENCODING AND ENCRYPTION  77
ADDENDUM … OF TECHNICAL TERMS  81
PART 3. SECURITY FOR ORGANIZATIONS  82
CHAPTER … OF E-SECURITY RISK MITIGATION  94
CHAPTER … EVALUATION AND LOSS ANALYSIS  101
CHAPTER … YOUR SECURITY NEEDS  105
CHAPTER … SECURITY POLICY AND PREVENTION  112
CHAPTER … SECURITY  117
CHAPTER … OUTSOURCING  122
CHAPTER … POLICIES, LEGISLATION, AND GOVERNMENT REGULATION  125
CHAPTER 9. COMPUTER CRIME  130
CHAPTER … RISK MANAGEMENT  139
CHAPTER … PRACTICES: BUILDING SECURITY CULTURE  144
CHAPTER … RULES FOR COMPUTER USERS  150
CHAPTER … DIALOGUES ON SECURITY  163
PART 4. SECURITY AND GOVERNMENT POLICIES  164
CHAPTER 2. PROTECTING GOVERNMENT SYSTEMS  174
CHAPTER 3. THE ROLE OF LAW AND GOVERNMENT POLICY VIS A VIS THE PRIVATE SECTOR  176
CHAPTER … CYBER-SECURITY POLICIES  189
PART 5. SECURITY FOR TECHNICAL ADMINISTRATORS  190
CHAPTER … FOR ADMINISTRATORS  209
CHAPTER … SECURITY  220
CHAPTER … SECURITY  238
CHAPTER … AND AUTHENTICATION  266
CHAPTER … SECURITY  288
CHAPTER … SECURITY  314
CHAPTER … AND DEFENSES  326
CHAPTER … AND MANAGING A BREAK-IN  341
CHAPTER 10. SYSTEM-SPECIFIC GUIDELINES  351
ANNEXES  352
ANNEX … RESOURCES  378
ANNEX … ORGANIZATIONS  384
ANNEX … RESOURCES

FOREWORD

The preparation of this book was fully funded by a grant from the infoDev Program of the World Bank Group. The topic of Information Technology (IT) Security has been growing in importance in the last few years, and is well recognized by the infoDev Technical Advisory Panel. We would like to thank the State Secretariat of Economic Affairs of Switzerland (SECO) for having been instrumental not only in providing the funding for this project, but also in recognizing the urgency of the matter and allowing this book to come to fruition.

We recognize the fundamental role of Information and Communication Technologies (ICT) for social and economic development. Similarly, we recognize that there cannot be an effective use of ICT in the absence of a safe and trusted ICT environment. Thus, IT security plays a prime role in helping to create the environment needed to set the ground for implementing successful national ICT plans, e-Government or e-Commerce activities, as well as sectoral projects, such as, for example, in the areas of education, health, or …

IT security is a complex topic and evolves almost as fast as technology does.

The authors have succeeded in providing technology-independent best practices, as well as recommendations for particular IT environments. As technology evolves, the accompanying web site ( ) will provide updates as appropriate, allowing for a constant dissemination of developments in the field of IT security. While the opinions and recommendations made in this book do not necessarily reflect the views of infoDev or The World Bank Group, we believe that the combination of the book and its supporting web site will make a valuable contribution to the understanding of IT security around the world.

The book is composed of five parts, each of which can be read independently. After an introduction to general issues of IT security, the book addresses issues relevant specifically to individuals, small and medium organizations, government, and technical administrators. Although most of the research and publications on IT security come from developed countries, the authors have attempted to provide practical guidance applicable anywhere and to include examples from developing countries.

We hope that this book and its supporting web site will provide the beginning of an interactive process, where the content and best practices will evolve over time as technology advances, but more importantly, as readers share their experiences and best practices with their …

… A. Khalil, Director, Global Information and Communication Technologies Department, The World Bank Group
Bruno Lanvin, Program Manager, infoDev Program, The World Bank Group
Michel H. Maechler, infoDev Task Manager, Senior Informatics Specialist, The World Bank Group

REVIEW COMMITTEE MEMBERS

Walter Duss, Vice President, swiss interactive media and software association (simsa); Managing Director, ASP Konsortium Switzerland; Wilen, Switzerland
Kurt Haering, President, EFSI AG, Basel, Switzerland (formerly President of Infosurance, Zürich, Switzerland)
Thomas Kellermann, CISM, Senior Data Risk Management Specialist, Financial Sector Operations & Policy Department, The World Bank, Washington, DC, USA
Werner Lippuner, CISA, Senior Manager, Technology and Security Risk Services Public Sector, Ernst & Young LLP, Washington, DC, USA
Bertrand Livinec, CISA, Practice Lead Sub-Saharan Francophone Africa Region, Group Risk Management Solutions (GRMS), PriceWaterhouseCoopers, Paris, France
Michel Maechler, CISA, CISM, Senior Informatics Specialist, Global Information and Communications Technology, Policy Division, The World Bank, Washington, DC, USA
Scott Musman, President and CEO, Augmented Systems, Alexandria, VA, USA (formerly Director of Research and Development at IMSI)
David Satola, Senior Counsel, Finance, Private Sector Dvt, & Infrastructure Legal Department, The World Bank, Washington, DC, USA

INFORMATION TECHNOLOGY SECURITY HANDBOOK

The recent evolution of Information and Communication Technologies (ICTs) and the substantial innovation in the sector have resulted in a significant increase in productivity as well as the emergence of a wealth of new goods and services. As the power, capacity, and cost of microelectronics continue to improve, providing a gain of approximately 30% in productivity and power per unit of cost each year, we have all been beneficiaries of these trends. Today we live in a digital world, where information processing is inexpensive and telecommunications costs are decreasing. It is an increasingly interconnected world.

This wealth of new technical possibilities gives rise not only to new products and more efficient and effective ways of doing things, but also to the possibility of misuse of the technology. Like other technologies, ICTs are essentially neutral, and can be used in ways that most of us would consider beneficial, as well as in ways that are harmful. The work of ICTs is done at microsecond speed, carrying information invisible to the naked eye, under the control of software developed by people, so harmful intentions in this environment are often carried out rapidly, invisibly, and are difficult, if not impossible, to …

The problems associated with securing information systems, the processes that depend on them, and the information that is transmitted and stored in electronic form, are not new.